chore: supply chain hardening (CODEOWNERS, Dependabot, Renovate, Scorecard fixes) #166

Merged
coopernetes merged 1 commit into main from chore/supply-chain-hardening on Apr 16, 2026

Conversation

@coopernetes (Owner) commented Apr 16, 2026

Summary

Closes out several actionable OpenSSF Scorecard alerts:

  • CODEOWNERS — satisfies the Code-Review check
  • dependabot.yml — scoped to github-actions only; satisfies the Dependency-Update-Tool check
  • renovate.json — covers gradle, gradle-wrapper, npm, and dockerfile managers; pinDigests: true keeps Dockerfile base image digests updated automatically
  • Pinned-Dependencies — pin eclipse-temurin:21-jdk and :21-jre to SHA256 manifest list digests (safe for multi-arch linux/amd64 + linux/arm64 builds)
  • Token-Permissions (codeql.yml) — add permissions: read-all at workflow level
  • Token-Permissions (ci.yml) — split dependency-submission into its own job so build-and-test drops from contents: write to contents: read

Notes

After merging, install the Renovate GitHub App on this repo to activate dependency update PRs.

Remaining Scorecard alerts not addressed here (out of scope for code changes):

  • Branch-Protection — repo settings
  • Binary-Artifacts (gradle-wrapper.jar) — industry standard, removing breaks builds
  • Fuzzing — needs a full fuzz harness
  • CII-Best-Practices — manual application at bestpractices.coreinfrastructure.org
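The Token-Permissions change for ci.yml described above, shown as an added illustration rather than the PR's actual workflow file: the workflow default and the build job are held at contents: read, and only the separate dependency-submission job is granted contents: write, which is the scope the Dependency Graph submission needs. The action names are real, but the versions and the `<commit-sha>` placeholders are assumptions; Scorecard's Pinned-Dependencies check expects each action pinned to a full commit SHA.

```yaml
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: every job starts read-only unless it opts in.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    # Read-only token: a compromised build step or plugin cannot push
    # commits, tags or releases with this job's GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<commit-sha> # v4 (placeholder: use the full SHA)
      - uses: actions/setup-java@<commit-sha> # v4 (placeholder)
        with:
          distribution: temurin
          java-version: '21'
      - uses: gradle/actions/setup-gradle@<commit-sha> # v4 (placeholder)
      - run: ./gradlew build

  dependency-submission:
    runs-on: ubuntu-latest
    # The only job with a write scope; it is isolated from the build so
    # the write token is never exposed to test or build steps.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@<commit-sha> # v4 (placeholder)
      - uses: actions/setup-java@<commit-sha> # v4 (placeholder)
        with:
          distribution: temurin
          java-version: '21'
      - uses: gradle/actions/dependency-submission@<commit-sha> # v4 (placeholder)
```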

@coopernetes coopernetes enabled auto-merge (squash) April 16, 2026 13:04
@coopernetes coopernetes disabled auto-merge April 16, 2026 13:06
…ecard fixes)

- Add .github/CODEOWNERS (satisfies OpenSSF Scorecard Code-Review check)
- Add .github/dependabot.yml scoped to github-actions only
  (satisfies Dependency-Update-Tool check)
- Add renovate.json covering gradle, gradle-wrapper, npm, and dockerfile
  managers (no Actions overlap with Dependabot); pinDigests: true for
  Dockerfile base images
- Pin eclipse-temurin:21-jdk and :21-jre to SHA256 manifest list digests
  (satisfies Pinned-Dependencies check; safe for multi-arch builds)
- Add permissions: read-all to codeql.yml workflow level
- Split dependency-submission into its own job in ci.yml so build-and-test
  drops from contents: write to contents: read
  (both satisfy Token-Permissions check)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coopernetes coopernetes force-pushed the chore/supply-chain-hardening branch from adc78a4 to bf4805f on April 16, 2026 13:13
@coopernetes coopernetes changed the title from "chore: add CODEOWNERS, Dependabot (Actions), and Renovate (Gradle/npm)" to "chore: supply chain hardening (CODEOWNERS, Dependabot, Renovate, Scorecard fixes)" on Apr 16, 2026
@coopernetes coopernetes enabled auto-merge (squash) April 16, 2026 13:14
@coopernetes coopernetes merged commit 75d580e into main Apr 16, 2026
11 checks passed
@coopernetes coopernetes deleted the chore/supply-chain-hardening branch April 16, 2026 13:16